
A week in security (Sep 18 – Sep 24)

Last week, we listed 10 ways one can secure their mobile devices, issued a warning about a scam posted on our Facebook page about ATM heists, discussed a form of hijacking involving the Windows hosts file, and gave readers a bird’s eye view of what happens to their healthcare data after a breach.

Malware Intelligence Analyst Christopher Boyd looked at a trend among young pop singers like Sebastian Olzanski and Jack Johnson: asking fans to hand over their social network logins as part of a marketing gimmick. Will we see a third “send me your login for a marketing gimmick” stunt soon?

Lastly, Senior Security Researcher Jérôme Segura revealed a malvertising campaign on the Just For Men website. Malicious ads redirected visitors to the RIG exploit kit, which performed a drive-by download and installed a credential-stealing Trojan.

For our Mobile Menace Monday and PUP Friday installments, we pushed out the following posts, respectively:

  • /blog/cybercrime/2016/09/mobile-menace-monday-fake-av-makes-it-onto-google-play/
  • /blog/threat-analysis/2016/09/pup-friday-nikoff-security/

Notable news stories and security-related happenings:

  • Google Play Spyware Apps Target Business Travellers. “Malware authors have once again succeeded in bypassing Google’s security vetting processes, and planted four spyware applications in the company’s Play app store. Security vendor Lookout alerted Google to the existence of four apps incorporating the Overseer spyware, which exfiltrates information from users’ Android devices. Google removed the apps from the Play store after Lookout notified the online giant about the threat. The Overseer malware was found in an embassy finder tool. Overseer targets foreign travellers, Lookout said, and could be used to spy on executives on business trips.” (Source: IT News)
  • Criminals Target Reddit With Drive-by Malware Attack To Empty Cryptocurrency Wallets. “Although attack details are rather difficult to come by right now, it appears there is another scam link making the rounds in cryptocurrency circles. As it turns out, a hacker can easily steal one’s Reddit account credentials. That is not entirely surprising, as any platform relying on usernames and passwords is conducting horrible security practices. The Reddit user who got hacked noticed how his profile was used to post on various cryptocurrency subreddits. All posts included a link to a malicious website, which seems to be infecting visitors with malware. By disguising links as a so-called price update, it is possible many people clicked the URL without even knowing what went on in the background.” (Source: The Merkle)
  • Malware Inc: Malware Means Big Money for Bad Guys. “As legitimate companies go about offering products or services, attracting customers and building revenues and profits, a different commerce model rakes in huge payouts. Operating in the shadows, it is the market that traffics in stolen personal identities, plundered corporate trade secrets and leaked sensitive government information. This business netherworld is built and maintained by cybercriminals, who then find products and services in it much the same way any consumer would—by going online and looking. They have many options from which to choose.” (Source: American Security Today)
  • Connected Devices Riddled With Badly-coded APIs, Poor Encryption. “The advent of home automation and rapid rise of smart home connected devices is seeing some vendors and new startups scramble to become a part of the movement, with ABI Research forecasting 360 million smart home device shipments by 2020. Unfortunately, many companies are leaving major security flaws in the wake of their hurried attempts to penetrate the market, producing products riddled with bugs and unpatched vulnerabilities. Ignoring cybersecurity at the design level provides a wide open door for malicious threat actors to exploit smart home products.” (Source: Help Net Security)
  • Is Your Printer About To Launch A Cyber Attack? “Many businesses are set up with a printer per desk or team, but owners are unaware that having departmental printers sprinkled throughout an office can be an easy source for a data breach. Unbeknownst to many in an office environment, modern printers now contain a wealth of confidential data, in both electronic and hard copy format, making them vulnerable to attack. Millions of pages are printed in offices across the country every day, but many of these eventually head straight to the shredder as they are churned out and forgotten about. The risk here is figuring out whose eyes are – and aren’t – allowed to see the documents sitting on the printer, ready for pick up.” (Source: Minute Hack)
  • Why It’s Time To Start Developing A Drone Security Strategy. “Everyone is familiar with the military use of drones. You’ve probably heard about Amazon’s plans to deliver commercial goods to consumers via drones. And Google is reportedly developing solar-powered drones that will deliver high-speed Internet. There’s no limit to the beneficial uses of drone technology. Dropping Zika-fighting pesticides or firefighting chemicals in remote areas. Search and rescue. Delivering emergency medical supplies. The list goes on and on.” (Source: Network World)
  • 10 Steps To Protect Against Higher Ed ‘Hacktivism’. “According to a number of cybersecurity experts, no platform or industry is immune from data breaches, especially as targeted “hacktivism” is on the rise, says John Wethington, cybersecurity executive at Ground Labs. But if the cloud is ‘only as safe as the administrative credentials of a single person,’ how can colleges and universities focus on identifying all of the data they have and reducing their digital footprint? In 2015, Ken Westin, senior security analyst at Tripwire, as well as FBI experts working the case, said Penn State’s attack by Chinese cyber terrorists was part of a larger campaign targeting similar departments and groups in higher education in a search for intellectual property.” (Source: eCampus News)
  • The Biggest Cybersecurity Threats Are Inside Your Company. “When security breaches make headlines, they tend to be about nefarious actors in another country or the catastrophic failure of technology. These kinds of stories are exciting to read and easier for the hacked company to admit to. But the reality is that no matter the size or the scope of a breach, usually it’s caused by an action, or failure, of someone inside the company. The role that insiders play in the vulnerability of all sizes of corporations is massive and growing. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors.” (Source: Harvard Business Review)
  • Is Your Connected Car Open To Cyber Attack? “Technology in today’s cars is so hackable that those aboard are now at physical risk of their vehicles being intentionally crashed, warns a leading New Zealand cyber-security company. While the breach of a website can result in loss of reputation or sensitive company information, a breach of computerised systems aboard a vehicle can result in physical risk and even loss of life, says the Wellington-based company, Aura Information Security. The warning is contained in an opinion piece written by security consultant Vladimir Wolstencroft.” (Source: Stuff – New Zealand)
  • Xiaomi Smartphones Come Equipped With Backdoor. “When you buy a new mobile device with certain apps already pre-installed on it, you’re effectively forced to trust that the device maker or reseller (depending on who pre-loaded the apps) is not up to anything shady, or try to remove them (sometimes you can’t). Or, if you’re a computer science student with an interest in cybersecurity like Thijs Broenink, you can reverse-engineer pre-loaded apps and discover for yourself what they do. In his case, he wanted to know what the AnalyticsCore (AnalyticsCore.apk) in his Xiaomi Mi4 does as there was no information online about it.” (Source: Help Net Security)
  • Spyware Targeting Overseas Travelers Removed From Google Play. “Google booted four spyware-laced apps from Google Play that targeted overseas travelers seeking embassy information and news for specific European countries. The apps gathered user information from Android phones including: contacts, email, GPS data, phone type, device ID and identified if the phone had been rooted, according to Lookout’s Security Research and Response Team which made the discovery.” (Source: Kaspersky’s Threatpost)
  • Social Media Now On Conflicts’ Front Lines. “The global growth of social media has been so fast, and the effect of ‘trending’ so widespread, that even this observation is outdated. (That was 137 characters, so I could also tweet it.) But while we are living in real-time—and wanting to know now—let us take a few minutes, if this article can hold your attention, and examine some ways social media is now on the front lines of many international conflicts.” (Source: Foreign Policy Blogs)
  • PwC Launches ‘Game of Threats’ In The UK. “With nearly three quarters of UK CEOs regarding cyber security as one of the top three risks to their organisations, along with over-regulation and geopolitical uncertainty, it’s clear that increasing cyber threats and the number of recent public breaches is moving cyber security up the list of top business priorities. But if systems were breached and time was ticking, would boards and leadership teams be ready to respond? PwC’s Game of Threats – an interactive cyber breach simulation for senior executives – has today been launched in the UK. The head-to-head digital card game pits teams of attackers against defenders and is designed to simulate the experience that leadership teams could realistically face in the midst of a cyber attack.” (Source: IT Security Guru)
  • What’s The Risk? 3 Things To Know About Chatbots & Cybersecurity. “Chatbot technology is still in its infancy, but it’s quickly being embraced by businesses because of its vast potential for sales, marketing, and customer service. Chatbots stand to help organizations build deeper relationships with their customers and improve service quality, while at the same time save money by automating certain administrative tasks. However, as organizations build and deploy enterprise chatbots, it’s important to step back for a moment and consider the security implications of this brave new technology.” (Source: Dark Reading)
  • Will Tracking Digital Harassment Help Defend Against Internet Trolls? “Almost a year after his teenage daughter’s attacker was sentenced in a high-profile sexual assault case, Alexander Prout hoped his family could get back to normal. But relief from the torment his family experienced after his daughter was assaulted at St. Paul’s School in Concord, N.H., and during the trial for convicted attacker Owen Labrie, a former student at the elite prep school, was short lived. Within days of the conviction, a detective from the Concord police department called to say strangers threatened the family on websites dedicated to outing sexual assault victims, and from other dark corners of the internet.” (Source: The Christian Science Monitor)
  • Tick, Tock, Tick, Tock: New Malware Is Hitting Your Network Every Four Seconds. “An exponential rise in malware means employees are at their highest-ever risk of accidentally installing malicious software onto an enterprise network — an event that happens every four seconds within the average company, a new report has warned. Security researchers at Check Point analysed information on over 30,000 security incidents discovered by the company’s ThreatCloud prevention software at more than 1,000 companies across the globe. They found that employees in industry, finance, government, and other sectors are very much taking a cavalier attitude to cybersecurity and downloading potentially harmful files to their company’s networks.” (Source: ZDNet)
  • Pentagon Goes ‘Back To Basics’ On Cyber. “It’s back to basics once a week for the CIOs of the military services and major agencies in the Pentagon. Every Friday they convene with Defense Department CIO Terry Halvorsen to go over the latest data from the department’s cybersecurity scorecard — and it can be an uncomfortable experience, according to Marianne Bailey, the principal director in the office of the deputy Defense CIO for cybersecurity.” (Source: Fedscoop)
  • Hacking ‘Forward’ With Weaponized Intelligence. “It is a transformational time in IT security. Advances in technologies associated with cloud computing, artificial intelligence and threat intelligence have sparked a new wave of innovation to counter threats against the enterprise and high value data. The problem is the hackers are innovating too. And they are motivated. As people and organizations rush to adopt new technologies, the bad guys are rushing to find and exploit new vulnerabilities before they are patched. It’s a headlong cyber arms race that has frustrated more than a few business leaders. ‘If the hackers can attack us,’ they wonder, ‘why can’t we hack them back?'” (Source: Dark Reading)
  • Payment Gateway Data Breach Exposes Financial Details Of 324,000 Users. “Attacking high profile websites and companies, stealing huge databases and dumping the data online seem to be the latest trend in the hacking community. In the latest breach, nearly 324,000 users have been affected as payment gateway BlueSnap or its affiliate RegPack became the victim of a data breach. The data has been dumped in a file that has been titled Bluesnap_324K_Payments.txt. None of these companies has admitted that a data hack has occurred. The worst part is that the data dump also includes CVV numbers of some users.” (Source: HackRead)
  • Android Scam Call And SMS Security Is Undone By HTML Exploiting Malware. “Android’s built-in protection, which flags warnings about apps trying to send premium rate messages without user consent, can be manipulated by malware to display a message controlled by malicious code. Researchers from MWR Labs discovered a flaw in the Android Telephony API, which handles SMS and MMS sending and receiving on an Android smartphone, and noted that it could lead to users being tricked into sending premium rate messages despite thinking they are being protected by Android’s security features. The security feature normally blocks premium messages with a prompt warning users of the cost and the app’s intentions, then asking them if they wish to continue to send the premium message.” (Source: TechWeek Europe)
  • Identity And Personal Data Theft Account For 64% Of All Data Breaches. “Data breaches increased 15% in the first six months of 2016 compared to the last six months of 2015, according to Gemalto. Worldwide, there were 974 reported data breaches and more than 554 million compromised data records in the first half of 2016, compared to 844 data breaches and 424 million compromised data records in the previous six months. In addition, 52% of the data breaches in the first half of this year did not disclose the number of compromised records at the time they were reported.” (Source: Help Net Security)
  • Education Now Suffers The Most Ransomware Attacks. “When you think ransomware victim, most likely your first thought is a hospital. But a new survey of ransomware’s spread among different industry sectors shows that education is actually the biggest target right now. BitSight, which rates the security posture of organizations based on external data showing malicious activity surrounding them, in a new report today found that education is hit most by ransomware attacks, followed by government, healthcare, energy/utilities, retail, and finance.” (Source: Dark Reading)
  • Bumble Will Soon Let Users Get Verified In An Effort To Squash Impersonators. “For some reason certain people feel the need to create a dating profile using someone else’s pictures. Whether it’s done to impersonate someone else, bully someone or even just pull a prank, it happens more than you’d think. Luckily Bumble thinks they have found a pretty innovative way to stop it from happening, at least on their platform. The female-led dating app just announced that they are launching photo verification as a way to rid impersonators from the platform.” (Source: TechCrunch)
  • Bad Security Habits Persist Despite Rising Awareness. “While the huge number of cybersecurity incidents are helping to raise awareness of security best practice, many organizations are persisting with bad habits that leave them exposed to hackers and data breaches. According to CyberArk’s Global Advanced Threat Landscape Survey 2016, 79% of organizations feel they have learned lessons from cyber-attacks and improved security, however the most popular action taken by respondents is the deployment of malware protection (25%), followed by endpoint security (24%). Security analytics was deployed by just 16% of respondents.” (Source: InfoSecurity Magazine)
  • Enterprises: Only Paying Attention To Big-name Hacks? You May Be Missing The Point. “Security professionals are more likely to pay attention to breaches if the companies being breached already have recognizable names. Seems like common sense. You see a headline that says, ‘Target point of sale technology hacked,’ you’re much more likely to pay attention than, ‘Hospital in Kentucky suffers from ransomware attack.’ Unless you live in Kentucky. Security teams that do this, however, might be missing the big picture of how broad security incidents are and how they don’t just impact top names — everyone is at risk.” (Source: Lookout Blog)
  • A Frustrating Conversation About Privacy With Google’s New Allo Chatbot. “With news that Google has backtracked on its promise to not log all conversations by default on its new chat app Allo, I decided to take its next-generation artificial intelligence for a spin. We’ve seen that the masses aren’t willing to enable strong encryption settings that protect privacy; in order to be useful, they must be enabled by default. So I wanted to chat with Allo’s ‘Google Assistant’ to see how upfront the assistant is with its users.” (Source: Motherboard)
  • Hackers Sell Tool To Spread Malware Through Torrent Files. “Be careful with what you torrent. A new tool on the black market is helping hackers distribute malware through torrent files in exchange for a fee. On Tuesday, security researchers at InfoArmor said they discovered the so-called ‘RAUM’ tool in underground forums. It leverages torrenting — a popular file-sharing method associated with piracy — to spread the malware. Popular torrent files, especially games, are packaged with malicious coding and then uploaded for unsuspecting users to download. Using torrents to infect computers is nothing new. But the makers of the RAUM tool have streamlined the whole process with a “Pay-Per-Install” model, according to InfoArmor.” (Source: CSO)
  • Bug That Hit Firefox And Tor Browsers Was Hard To Spot—Now We Know Why. “A recently fixed security vulnerability that affected both the Firefox and Tor browsers had a highly unusual characteristic that caused it to threaten users only during temporary windows of time that could last anywhere from two days to more than a month […] While the windows were open, the browsers failed to enforce a security measure known as certificate pinning when automatically installing NoScript and certain other browser extensions. That meant an attacker who had a man-in-the-middle position and a forged certificate impersonating a Mozilla server could surreptitiously install malware on a user’s machine.” (Source: Ars Technica)
  • Malware Evades Detection With Novel Technique. “Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher’s test environment. The malware, according to researcher Caleb Fenton with security firm SentinelOne, evades detection simply by counting the number of documents – or the lack thereof – that reside on a PC and not executing if a certain number are not present. Fenton, who discovered the malware after several failed attempts to trigger the sample into acting maliciously, said the typical lack of documents in a virtual machine and sandboxed test environment make it easy, in this case, for malware authors to fly under the radar.” (Source: Kaspersky’s Threatpost)
  • Dropbox ‘Hacks’ Macs, Developer Warns. “A developer’s discovery of a sneaky trick used by Dropbox to gain wide-ranging access to Apple Mac OS X computers has infuriated some users, who allege the popular application is acting in a manner that’s similar to malware. Dropbox officials have downplayed the finding, saying its Mac desktop app requires the modification to function correctly. But that hasn’t stopped some users from vowing never to use the file-sharing application again. The warning over the apparent liberties taken by Dropbox’s software comes via Phil Stokes, a developer and freelance writer who authors the Applehelpwriter blog. Stokes, who digs deep into the workings of OS X, said he couldn’t figure out why it seemed to be impossible to eliminate Dropbox from Apple’s accessibility menu, which falls under the operating system’s security and privacy options.” (Source: InfoRisk Today)
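
The Firefox/Tor item above turns on a detail that is easy to miss: a pinning check that is only enforced during some windows of time is, during the other windows, no check at all. The snippet below is an added illustration written for this roundup, not Mozilla’s code. It assumes the mechanism is a built-in pin set with an expiry date (the article only says enforcement lapsed for days or weeks at a time), and the SPKI byte strings and dates are constructed stand-ins. It contrasts a fail-open check, where a lapsed pin set accepts any OS-trusted chain, with a fail-closed variant.

```python
"""Certificate pinning with an expiring pin set: fail-open versus fail-closed.

Added illustration of the failure mode described in the Ars Technica item.
Not Mozilla's implementation; the SPKI bytes, pins and dates are constructed.
"""
import base64
import hashlib
from datetime import datetime, timezone


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for the DER-encoded SPKI of the genuine update-server
# key and of a key behind a forged, publicly trusted certificate.
GENUINE_SPKI = b"constructed-spki-of-genuine-update-server-key"
FORGED_SPKI = b"constructed-spki-of-mitm-attacker-key"

# Assumption: the pin list shipped with the browser carries an expiry date.
PIN_SET = {
    "pins": {spki_pin(GENUINE_SPKI)},
    "expires": datetime(2016, 9, 3, tzinfo=timezone.utc),
}


def pin_check_fail_open(presented_spki: bytes, pin_set: dict, now: datetime) -> bool:
    """Behaviour the article describes: once the built-in pin set lapses,
    pinning is silently not enforced, so a forged chain that the OS trust
    store accepts passes this check too."""
    if now >= pin_set["expires"]:
        return True  # window open: no pin enforcement at all
    return spki_pin(presented_spki) in pin_set["pins"]


def pin_check_fail_closed(presented_spki: bytes, pin_set: dict, now: datetime) -> bool:
    """Hardened variant: a lapsed pin set refuses the connection (the update
    waits for a refreshed pin list) instead of accepting any key."""
    if now >= pin_set["expires"]:
        return False
    return spki_pin(presented_spki) in pin_set["pins"]


def demo() -> dict:
    """Evaluate both checks inside and outside the enforcement window."""
    inside = datetime(2016, 9, 1, tzinfo=timezone.utc)
    outside = datetime(2016, 9, 10, tzinfo=timezone.utc)
    return {
        "fail_open_inside_forged": pin_check_fail_open(FORGED_SPKI, PIN_SET, inside),
        "fail_open_outside_forged": pin_check_fail_open(FORGED_SPKI, PIN_SET, outside),
        "fail_closed_outside_forged": pin_check_fail_closed(FORGED_SPKI, PIN_SET, outside),
        "fail_closed_inside_genuine": pin_check_fail_closed(GENUINE_SPKI, PIN_SET, inside),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

Failing closed trades availability for safety: extension updates stall until a new pin list ships. The point of the example is that the choice has to be made deliberately; the fail-open default is what turned a stale pin list into a man-in-the-middle opportunity.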

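The SentinelOne item describes a sandbox-evasion heuristic that is almost embarrassingly simple: count the documents on the machine and stay dormant if there are too few. The script below is an added example for this roundup, not code from the report or from the malware. The file types and the threshold of five documents are assumptions, and the profile it scans is a temporary directory it creates itself. It implements the check and the obvious analyst-side countermeasure, seeding the analysis VM with decoy documents whose names, sizes and modification times vary.

```python
"""Document-count sandbox evasion and the decoy-seeding countermeasure.

Added example; not the sample analysed by SentinelOne. Suffixes, threshold
and decoy names are assumptions made for illustration.
"""
import os
import random
import tempfile
import time
from pathlib import Path

# File types the hypothetical dropper counts as "user documents" (assumption).
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
# Fewer than this and the dropper assumes a throwaway analysis VM (assumed threshold).
MIN_DOCUMENTS = 5


def is_document(name: str) -> bool:
    """True if the file name carries a document-like suffix (case-insensitive)."""
    return Path(name).suffix.lower() in DOCUMENT_SUFFIXES


def count_documents(root: Path) -> int:
    """Walk root recursively and count files that look like user documents."""
    return sum(1 for p in root.rglob("*") if p.is_file() and is_document(p.name))


def looks_like_analysis_box(root: Path, threshold: int = MIN_DOCUMENTS) -> bool:
    """The evasion heuristic: too few documents, so stay dormant."""
    return count_documents(root) < threshold


def seed_decoys(root: Path, n: int, seed: int = 1) -> int:
    """Sandbox-side countermeasure: populate the profile with plausible documents.

    Names, sizes and mtimes are varied so a slightly smarter check (recent,
    non-identical files in the usual folders) is satisfied too. Returns the
    number of files created."""
    rng = random.Random(seed)
    stems = ["budget", "invoice", "notes", "report", "draft", "minutes", "quote", "plan"]
    suffixes = sorted(DOCUMENT_SUFFIXES)
    now = time.time()
    created = 0
    for i in range(n):
        folder = root / rng.choice(["Documents", "Desktop", "Downloads"])
        folder.mkdir(exist_ok=True)
        path = folder / f"{rng.choice(stems)}_{i}{rng.choice(suffixes)}"
        path.write_bytes(os.urandom(rng.randint(2_000, 60_000)))
        age_seconds = rng.randint(1, 180) * 86_400  # spread mtimes over ~6 months
        os.utime(path, (now - age_seconds, now - age_seconds))
        created += 1
    return created


def demo() -> dict:
    """Run the check against an empty profile, seed decoys, run it again."""
    profile = Path(tempfile.mkdtemp(prefix="profile_"))  # constructed, empty profile
    before = (count_documents(profile), looks_like_analysis_box(profile))
    seed_decoys(profile, MIN_DOCUMENTS + 3)
    after = (count_documents(profile), looks_like_analysis_box(profile))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())  # before: dormant; after seeding: the sample would run
```

The same idea applies to the other cheap environment checks these samples use (uptime, recently opened files, browser history): the sandbox should look lived-in, and detonation rules that only fire on the first run of a fresh image will miss anything that waits.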
Safe surfing, everyone!

The Malwarebytes Labs Team